Norton VPN via Open VPN on Linux OS

xkilldash9x

              [GUIDE] Setting up Norton-VPN on Linux
 
                    By: 
                        ****************x killdash9 x****************

1. Objective

This guide details how to reverse engineer the Norton Secure VPN Android app to enable its use on a Linux desktop with a standard OpenVPN client. This is necessary because the vendor does not provide a native Linux client.

2. Background

The Norton Secure VPN client doesn't use static .ovpn files. It acquires connection parameters dynamically:

The client authenticates against a private API to get a temporary session token.
 
Using this token, it requests a list of available, load-balanced VPN servers.
 
The client then constructs an OpenVPN configuration in memory using the acquired server details and token.

This guide provides the steps to discover and replicate this API communication.

3. Prerequisites

This is a complete list of all components needed for this project.

Hardware 💻

A Linux computer to serve as the host for the tools and final client.
 
A rooted Android phone or a properly configured Android emulator.

Accounts & Files 📂

An active Norton Secure VPN subscription.
 
The Norton Secure VPN APK file. Older versions (circa 2023) are often easier to analyze.

Host Machine Software (Linux) 🐧

OpenVPN: The client for the final connection.
 
JADX-GUI: For decompiling the APK.
 
mitmproxy: For intercepting network traffic.
 
Frida Tools: For dynamic instrumentation (pip install frida-tools).
 
Android Debug Bridge (adb): For communicating with the Android device.
 
Standard Utilities: curl, wget, unzip, and jq.

Mobile Device Software (Android) 🤖

frida-server: The binary that must be running on the rooted device.

4. Procedure

This process has four parts: code analysis, environment setup, traffic capture, and data extraction.

Part A: Static Analysis (Code Reconnaissance)

Load the Norton Secure VPN APK file into JADX-GUI.
 
Search the decompiled code for strings related to network operations, focusing on keywords like auth, token, serverlist, gateway, or API URLs.
 
The goal is to identify the general structure of the application's API. Note any findings.

Part B: Interception Environment Setup

On your Linux Host, open a terminal and run         

mitmproxy

On your Android Device:

Configure your Wi-Fi settings to use a manual HTTP proxy. Set the proxy IP to your Linux machine's local IP and the port to 8080.
 
Open a browser, navigate to http://mitm.it, and install the mitmproxy CA certificate.
 
Push the frida-server binary to your device via adb and run it as root:

adb push frida-server /data/local/tmp/
adb shell "su -c /data/local/tmp/frida-server"
Part C: Dynamic Analysis & Traffic Capture

Bypass SSL Pinning. The Norton app will reject mitmproxy's certificate. Use Frida to disable this protection at runtime. Run the following command from your Linux host, pointing to a universal SSL unpinning script (many are available online):

The package name is 'com.symantec.norton.vpn'

frida -U -f com.symantec.norton.vpn --no-pause -l /path/to/frida-universal-ssl-unpinning.js
Capture API Calls. The previous command launches the app. Log in with your credentials.

Inspect Traffic. Observe the mitmproxy window on your host. You will now see the decrypted HTTPS requests from the app.

Part Data Extraction

Analyze the captured flow in mitmproxy to identify two key interactions:

Authentication Request: Find the POST request sent during login. Note the URL, headers, and the structure of both the request and response body (likely JSON). The response should contain an access token.
 
Server List Request: Find the subsequent request that fetches the VPN servers. Note how the auth token is used in the headers (e.g., as a Bearer token) and the structure of the JSON response containing the server list.

5. Implementation: The Automation Script

With the captured data, create a Bash or Python script to automate the connection. The script must:

Authenticate: Send a POST request with your credentials to the auth endpoint.
 
Extract Token: Parse the response to get the access token.
 
Fetch Server List: Send a request to the server list endpoint using the token.
 
Select Server: Parse the response and choose a server.
 
Generate Config: Create a complete .ovpn file with the server's address.
 
Execute OpenVPN: Launch the connection with the generated config.

sudo openvpn --config norton_generated.ovpn --auth-user-pass credentials.txt

the file will look something like this -

_# Dynamically generated Norton VPN config

client
dev tun
proto udp

This is the server IP you extracted from the API response

remote 192.0.2.123 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-GCM
verb 3
auth-user-pass credentials.txt

-----BEGIN CERTIFICATE-----
(Content of the CA certificate extracted from the APK or API response)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
(Content of the client certificate, likely static from the APK)
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
(Content of the client key, likely static from the APK)
-----END PRIVATE KEY-----

_
## ## Disclaimer: This guide is for educational purposes. Reverse engineering software may violate the provider's terms of service. Proceed at your own risk.